Privacy Policy of UK Magic Officials
This policy sets out how UK Magic Officials (“the Organisation”, “we”) uses, obtains, protects, and deletes personal data. The Organisation complies with EU Regulation 2016/679 (the General Data Protection Regulation, “EU-GDPR”), that regulation as transferred into UK law on 31/12/2020 and subsequently amended (“UK-GDPR”), and the Data Protection Act 2018. We will generally refer to these collectively as “GDPR”, but may refer to them separately as context requires.
Who are we?
We are UK Magic Officials. Our email address is contact@magicofficials.uk.
What is processing personal data?
Whilst the natural meaning of “processing” data might normally be taken to mean analysing large sets of data by automated means to make decisions, the GDPR legal definition of processing data is wider. When we refer to “processing” data, this includes:
- Collecting data
- Storing data
- Consulting or retrieving data
- Disclosing data to another party
- Organising data
- Altering or erasing data
- Destroying data
“Personal data” means any information relating to a person (a “data subject”) who can be identified, directly or indirectly, including by reference to a name, identification number, or online identifier.
This means that, for example, if you send us an email signed with your name, we will be processing your personal data because your name and email address will be stored on servers we control.
Categories of personal data processed
The Organisation may process personal data in the following categories:
- Names of members, potential members, enquirers, or customers
- Postal addresses
- Email addresses
- Telephone numbers
- Dates of birth
- Other contact details
- Payment account details
- Qualifications, certifications, membership levels, examination results, lists of examinations or questions seen or used by a member
- Lists of events in which members have participated or in which they have applied to participate, and their roles or duties at these events
- Reviews and appraisals of members’ performance at events or in other contexts
- Training and education records
- Recommendations that members should, or should not, be granted a certification
- The contents and recordings of presentations made by members at our conferences and events
- Technical details identifying the browser, computer, device, or IP address used to access our website or other resources, as well as the route via which a user arrived at our website
- Particulars of whether messages sent by the Organisation were opened and/or read, and whether any links within those messages were opened
- Comments and posts shared on our discussion tools, such as forums, chatrooms, or Discords
We may also collect other personal data incidental to the above. Please see the “Special category data” section below for additional details of data we may collect.
Where we obtain the data
We obtain data from:
- The data subject themselves
- Other members
- Members of other organisations with which we work
- Event staff
Whom we disclose the data to
We disclose personal data to:
- The data subject themselves
- Event organisers and staff
- Other members
- Other organisations of a similar character
We may also disclose limited personal data to the general public; for example, we may confirm to someone making an enquiry whether a person they name is or is not a member of the Organisation.
In all cases, we only disclose data where there is a good reason to do so.
Where data are stored and how they are kept secure
In general, the Organisation’s data are stored using cloud storage. Providers may include Google, Apple, or Microsoft. It’s possible that they will store data on our behalf outside of the UK and European Union. We will endeavour to ensure that they keep these data as secure as if they were held under UK/EU standards, but our limited economic and bargaining power means that we may not be able to obtain enforceable rights or standard contractual clauses in our favour.
The Organisation may control one or more discussion or chat tools such as a Discord. Where it does, and this is hosted outside the UK/EU, your participation in the tool indicates your consent to the processing and storage of your data outside the UK/EU. We will display a prominent notice to this effect on any tool to which this applies.
Our data processors
We may use third party data processors to process data. You will have the same rights as respects such data as you have as respects data we process directly.
Automated decision-making
We do not use automated decision-making with any personal data. Should we do so in the future, we will update this policy to say so, and we will always give anyone adversely affected by an automated decision the right to have that decision reviewed by a human operator.
The legal bases for processing your data
GDPR requires that we specify which of six legal bases we use for processing your personal data. These are:
- Consent
We process your personal data where you have given us your consent to do so. You can give consent explicitly or implicitly. For example, when you post on a discussion forum we run, you are giving your implicit consent to us publishing your post. As another example, you might give us your explicit consent, via a tick-box or survey, for us to share your contact data with tournament organisers who have told us that they are looking for event staff.
You can freely withdraw consent at any time. If you withdraw consent to your data being processed, we will stop processing those data unless we are also processing them under a different legal basis. In some cases, we will give you the tools to remove your data yourself; for example, in a Discord you can delete messages you have previously written.
- Performance of a contract
We process your personal data where it’s necessary to do so for a contract you’ve entered into, or at your request in advance of entering into such a contract. For example, if you decide to purchase goods from us, we will be processing your payment and shipping details under this legal basis.
- Legal obligation
We might process personal data where we have a legal obligation to do so. For example, if you are elected a director, we will be legally obliged to provide your personal information to Companies House for enrolment on their records, and they will publish it. We’re also legally obliged to send all company members notice of certain company events and procedures.
- Public task
We do not process personal data to perform public tasks.
- Vital interests
This basis allows us to process your personal data where a person’s life or health is at serious risk. We do not envisage it as likely that we will process data under this basis, though perhaps if someone attending one of the Organisation’s events were to unexpectedly collapse and we were aware of a health condition they had posted about on our forum, we might disclose this condition to paramedics under this legal basis.
- Legitimate interests
We can process personal data where it is in the legitimate interests of our organisation to do so, with the exception of where the data subject’s interests clearly outweigh ours.
An example of processing in our legitimate interests is that we may pass on a message from a tournament organiser looking for staff at their event to a member eligible to staff that event. Another is that we may retain the names, addresses, and contact details of members for a period of time after they resign their membership, to allow us to claim a contribution of £1 from them towards the company’s debts if it is wound up within one year of their membership ending.
Special category data
Special category data is a technical term for sensitive personal data that requires more protection.
As an organisation we do not generally seek to collect, process, or retain special category data about our members, or anyone else. However, we understand that we may come into possession of, and become the data controller of, special category data, primarily by means of posts or contributions to forums or chats that we run. It may also be possible to infer special category data from other data we collect.
We may decide to hold events for, or take part in, “Pride” or similar. We might ask members participating in such events to opt to disclose special category data about themselves.
The types of special category data we may, therefore, hold include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade Union membership
- Health data
- Data concerning a person’s sex life or sexual orientation
Again, we emphasise that we do not go out looking for, actively collect, or make decisions based on any of these things, but we think it likely that members might at some point post about them in our chatrooms or forums. The GDPR says that if these pieces of information are stored on a system that we control, we are legally deemed to be “processing” those data, and we have to say we’re doing so in our privacy policy.
We do not expect that we will hold data about:
- Genetics
- Biometrics
Our Article 9 bases for processing special category data are:
- (a) explicit consent
- (d) processing of data about members of a not-for-profit body; and
- (e) data have been made public by the data subject
Criminal offence data
We do not actively seek out information about criminal offences, but if we become aware that a member has committed one or more criminal offences that may tend to discredit the Organisation, we may process that data on a strictly need-to-know basis and only for the purpose of assessing and deciding whether such person should remain a member and on what terms.
In this respect, we rely on the following conditions in Schedule 1 to the DPA 2018 for processing this data:
- 11 Protecting the public against dishonesty
- 18 Safeguarding of children and individuals at risk
Your data protection rights
Under data protection law, you can exercise one or more of the following rights. If you feel you need to exercise any of them, we would first suggest you contact us informally to discuss the particular requirement you have. However, if you wish to make a formal request, you should send it by email to the above address.
Right of access
You have the right to ask us for a copy of some or all of the personal information we hold about you. Most such data is disclosable, but some exemptions apply under GDPR. For example, we’re entitled to refuse you access to:
- Information that may tend to identify another individual, unless we are able to redact the data so that that individual can’t be identified, or we have that individual’s consent to disclose the data to you, or it would be reasonable in all the circumstances to disclose the information without such consent.
- References or recommendations given in confidence in connection with education, training, or employment, provision of a service, placement as a volunteer, or appointment to an office. We additionally have the right to refuse to tell you whether such references or recommendations exist.
Right to rectification
Should you be of the belief that personal information we hold about you isn’t accurate or complete, you have the right to ask us to rectify or complete it.
Right of erasure
In certain circumstances you have the right to ask us to erase your personal data. We will still be able to retain certain data if we have a legal basis to do so.
If you are a member and choose to exercise your right to erasure with respect to certain data, it may mean we are unable to continue your membership. Should this happen we will let you know and offer you the option to amend your request.
Restriction of processing/blocking
In certain circumstances you have the right to ask us to restrict the processing of your personal information, or to block or suspend processing pending the exercise of other rights.
If you are a member and choose to exercise your right to restriction/blocking with respect to certain data, it may mean we are unable to continue your membership. Should this happen we will let you know and offer you the option to amend your request.
Data portability
You have the right to ask us to transfer some of the personal information we hold about you to another organisation. This might arise for example if you move out of the geographical area we cover and you would like us to transfer your certification record to an organisation similar to us in the area where you move to.
Fees and process
There are no fees attached to exercising the above rights, save that we may charge a reasonable administration fee if you make excessive, repetitious, or vexatious requests. If you make a request, we will have 1 month to respond. This 1-month period can be suspended for certain reasons, such as where we require verification of your identity, and extended to up to 3 months where processing your request is especially onerous or time-consuming.
Complaints
You have the right to complain if you feel we haven’t followed our privacy policy, or the law. If you want to do this, please contact us at the details above in the first instance. If you are dissatisfied with how we have handled your complaint you can raise a complaint to the Information Commissioner’s Office (ICO) via their website at www.ico.org.uk.
Deletion of data
We will delete personal data when we no longer have a legal basis for processing them. For administrative convenience we may perform periodic “deletion runs” rather than deleting individual pieces of data ad-hoc.
We will delete personal data where an individual data subject has requested we do so, and we do not have a legal basis for retaining it. Note that abiding by certain such requests may result in us being unable to continue offering membership to the data subject. We will warn you should you make such a request, and offer you the opportunity to amend or withdraw it.
Reviews and updates to this policy
We will review this policy at least every three years to check it is still compliant, accurate, and up to date. We will always publish the current version of the policy on our website, and will make efforts to bring major changes to members’ attention.